Date posted: 19-Jan-2015
Category: Technology
Uploaded by: defcamp
Key Note @ DefCamp 2013
Bucharest, Romania – November 29th, 2013
Raoul “Nobody” Chiesa
Founder, President, Security Brokers SCpA
Principal, Cyberdefcon Ltd. Member of ENISA PSG (Permanent Stakeholders Group)
Special Advisor on the HPP project at UNICRI
Peering in the Soul of Hackers:
HPP V2.0 reloaded
(The Hacker’s Profiling Project)
Agenda
# whois
From Crime to Cybercrime
Hacker’s generations
HPP V1.0 (2004-2011)
HPP V2.0 (2011-2015)
Conclusions
Contacts, Q&A
Disclaimer
● The views expressed are those of the author(s) and speaker(s) and do not necessarily reflect the views of UNICRI, ENISA and its PSG, nor the companies and security communities I’m working at and/or supporting.
# whois raoul
President, Founder, The Security Brokers
Principal, CyberDefcon UK
HPP Special Advisor @ UNICRI (United Nations Interregional Crime & Justice Research Institute)
PSG Member, ENISA (Permanent Stakeholders Group, European Network & Information Security Agency)
Founder, Board of Directors and Technical Committee Member @ CLUSIT (Italian Information Security Association)
Steering Committee, AIP/OPSI, Privacy & Security Observatory
Member, Manager of the WG «Cyber World» at Italian MoD
Board of Directors, ISECOM
Board of Directors, OWASP Italian Chapter
# whois UNICRI
UNICRI is the United Nations Crime & Justice Research Institute
It’s based in Turin (WHQ), Italy: nice town, give us a visit!
We mainly work on:
• Trainings (Legal aspects, Cybercrime, SCADA, HPP, …)
• Facilitator: allowing cool (and trusted!) entities to meet and work with each other
• Paperworks (somebody gotta do it…)
“Every new technology,
opens the door to new criminal approaches”.
The relationship between technologies and criminality has always been – since the very beginning – characterized by a kind of “competition” between the good and the bad guys, just like cats and mice.
As an example, at the beginning of the 1900s, when cars appeared, the “bad guys” started stealing them (!)
…the police, in order to counter the phenomenon, made the use of car plates mandatory…
…and the thieves began stealing the car plates from the cars (and/or falsifying them).
Crime->Yesterday
Cars have been substituted by information
You got the information, you got the power..
(at least, in politics, in the business world, in our personal relationships…)
• Simply put, this happens because the “information” can be transformed at once into “something else”:
1. Competitive advantage
2. Sensitive/critical information
3. Money
… that’s why all of us want to “be secure”.
It’s not by chance that it’s named “IS”: Information Security
Crime->Today:Cybercrime
What happened over the past decades?
Hacking eras & Hackers’ generations
First generation (70’s) was inspired by the need for knowledge.
Second generation (1980-1984) was driven by curiosity plus the hunger for knowledge: the only way to learn OSs was to hack them; later (1985-1990) hacking became a trend.
The Third one (90’s) was simply pushed by the anger for hacking, meaning a mix of addiction, curiosity, learning new stuff, hacking IT systems and networks, and exchanging info with the underground community. Here we saw new concepts coming, such as hacker’s e-zines (Phrack, 2600 Magazine) along with BBS.
Fourth generation (2000-today) is driven by anger and money: often we can see subjects with very low know-how, thinking that it’s “cool & bragging” being hackers, while they are not interested in hacking & phreaking history, culture and ethics. Here hacking meets with politics (cyber-hacktivism) or with the criminal world (cybercrime).
Things changed…
€, $
QUESTION:
• May we state that cybercrime – along with its many, many aspects and views – can be ranked as #1 in rising trend and global diffusion?
ANSWER(S):
Given that all of you are attendees and speakers here today, I would say that we already are on the right track in order to analyze the problem.
Nevertheless, some factors exist on which the spread of “e-crime-based” attacks relies.
Let’s take a look at them.
Cybercrime: why?
1. There are new users, more and more every day: this means the total amount of potential victims and/or attack vectors is increasing.
2. Making money, “somehow and straight away”.
3. Technical know-how public availability & ready-to-go, even when talking about average-high skills: that’s what I name “hacking prêt-à-porter”
Reasons/1
Thanks to broadband...
WW economic crisis…
0-days, Internet distribution system / Black Markets
4. It’s extremely easy to recruit “idiots” and set up groups, molding those adepts upon the bad guy’s needs (think about e-mules)
5. “They will never bust me”
6. Lack of violent actions
Reasons/2
Newbies, Script Kids
Psychology, Criminology
Psychology and Sociology
What’s really changed is the attacker’s typology
From “bored teens”, doing it for “hobby and curiosity” (obviously: at night, Pizza Hut box on the floor and cans of Red Bull)…
...to teenagers and adults who are not necessarily “ICT” or “hackers”: they just do it for the money.
What’s changed is the attacker’s profile, along with its justifications, motivations and reasons.
Let’s have a quick test!
What the heck has changed then??
Hackers in their environment
“Professionals”
LOL-test
Why were the guys in the first slide hackers, and the others professionals ?
Because of the PCs ?
Because of their “look” ?
Due to the environments surrounding them ?
Because of the “expression on their faces” ?
There’s a difference: why?
Erroneous media information pushed the minds of “normal people” towards this approach.
Today, sometimes the professionals are the real criminals, and hackers “the good guys”… Think about a few incidents:
• Telecom Italia scandal, Vodafone Greece Affair, NSA, GCHQ, etc…
Surprise! Everything has changed…
Welcome to HPP!
HPP V1.0
Back in 2004 we launched the Hacker’s Profiling Project - HPP (http://www.unicri.it/emerging_crimes/cybercrime/cyber_crimes/hpp.php)
Since that year:
• +1.200 questionnaires collected & analyzed
• 9 Hackers profiles emerged
• Two books (one in English)
  • Profilo Hacker, Apogeo, 2007
  • Profiling Hackers: the Science of Criminal Profiling as Applied to the World of Hacking, Taylor&Francis Group, CRC Press (2009)
HPP V1.0: purposes & goals
Analyse the hacking phenomenon in its several aspects (technological, social, legal, economical) through technical and criminological approaches.
Observe those true criminal actions “on the field”.
Understand the different motivations and identify the actors involved (who, not “how”).
Apply the profiling methodology to collected data (4W: who, where, when, why).
Acquire and disseminate knowledge.
HPP Questionnaires: the modules
Module A: Personal data (gender, age, social status, family context, study/work)
Module B: Relational data (relationship with: the Authorities, teachers/employers, friends/colleagues, other hackers)
Module C: Technical and criminological data (targets, techniques/tools, motivations, ethics, perception of the illegality of their own activity, crimes committed, deterrence)
All questions allow anonymous answers
Some numbers
Total received questionnaires: # +1200
Full questionnaires filled out - # +600*
Compact questionnaires filled out - #573*
*since September 2006
Mainly from: USA Italy UK Canada Lithuania Australia Malaysia Germany Brazil
Evaluation & Correlation standards
Modus Operandi (MO)
Lone hacker or as a member of a group
Motivations
Selected targets
Relationship between motivations and targets
Hacking career
Principles of the hacker's ethics
Crashed or damaged systems
Perception of the illegality of their own activity
Effect of laws, convictions and technical difficulties as a deterrent
Zoom: correlation standards
Gender and age group
Background and place of residence
How hackers view themselves
Family background
Socio-economic background
Social relationships
Leisure activities
Education
Professional environment
Psychological traits
To be or to appear: the level of self-esteem
Presence of multiple personalities
Psychophysical conditions
Alcohol & drug abuse and dependencies
Definition or self-definition: what is a real hacker?
Relationship data
Handle and nickname
Starting age
Learning and training modalities
The mentor's role
Technical capacities (know-how)
Hacking, phreaking or carding: the reasons behind the choice
Networks, technologies and operating systems
Techniques used to penetrate a system
Individual and group attacks
The art of war: examples of attack techniques
Operating inside a target system
The hacker’s signature
Relationships with the System Administrators
Motivations
The power trip
Lone hackers
Hacker groups
Favourite targets and reasons
Specializations
Principles of the Hacker Ethics
Acceptance or refusal of the Hacker Ethics
Crashed systems
Hacking/phreaking addiction
Perception of the illegality of their actions
Offences perpetrated with the aid of IT devices
Offences perpetrated without the use of IT devices
Fear of discovery, arrest and conviction
The law as deterrent
Effect of convictions
Leaving the hacker scene
Beyond hacking
HPP V1.0: the emerged profiles…
| PROFILE | OFFENDER ID | LONE / GROUP HACKER | TARGET | MOTIVATIONS / PURPOSES |
|---|---|---|---|---|
| Wanna Be Lamer | 9-16 years; “I would like to be a hacker, but I can’t” | GROUP | End-User | For fashion, it’s “cool” => to boast and brag |
| Script Kiddie | 10-18 years; The script boy | GROUP: but they may act alone | SME / Specific security flaws | To give vent to their anger / attract mass-media attention |
| Cracker | 17-30 years; The destructor, burned ground | LONE | Business company | To demonstrate their power / attract mass-media attention |
| Ethical Hacker | 15-50 years; The “ethical” hacker’s world | LONE / GROUP (only for fun) | Vendor / Technology | For curiosity (to learn) and altruistic purposes |
| Quiet, Paranoid, Skilled Hacker | 16-40 years; The very specialized and paranoid attacker | LONE | On necessity | For curiosity (to learn) => egoistic purposes |
| Cyber-Warrior | 18-50 years; The soldier, hacking for money | LONE | “Symbol” business company / End-User | For profit |
| Industrial Spy | 22-45 years; Industrial espionage | LONE | Business company / Corporation | For profit |
| Government Agent | 25-45 years; CIA, Mossad, FBI, etc. | LONE / GROUP | Government / Suspected Terrorist / Strategic company / Individual | Espionage / Counter-espionage; Vulnerability test; Activity-monitoring |
| Military Hacker | 25-45 years | LONE / GROUP | Government / Strategic company | Monitoring / controlling / crashing systems |
Some comments
Since 1999 I’ve attended most of the so-called «hacking conferences».
Over the last 5 years, I’ve travelled as a speaker, evangelist, security bitch and whatever in:
• .mil environments (EU, Eastern Europe)
• India
• China
• GCC Area
• Malaysia
| PROFILE | OBEDIENCE TO THE “HACKER ETHICS” | CRASHED / DAMAGED SYSTEMS | PERCEPTION OF THE ILLEGALITY OF THEIR OWN ACTIVITY |
|---|---|---|---|
| Wanna Be Lamer | NO: they don’t know “Hacker Ethics” principles | YES: voluntarily or not (inexperience, lack of technical skills) | YES: but they think they will never be caught |
| Script Kiddie | NO: they create their own ethics | NO: but they delete / modify data | YES: but they justify their actions |
| Cracker | NO: for them the “Hacker Ethics” doesn’t exist | YES: always voluntarily | YES but: MORAL DISCHARGE |
| Ethical Hacker | YES: they defend it | NEVER: it could happen only incidentally | YES: but they consider their activity morally acceptable |
| Quiet, Paranoid, Skilled Hacker | NO: they have their own personal ethics, often similar to the “Hacker Ethics” | NO | YES: they feel guilty for the upset caused to SysAdmins and victims |
| Cyber-Warrior | NO | YES: they also delete/modify/steal and sell data | YES: but they are without scruple |
| Industrial Spy | NO: but they follow some unwritten “professional” rules | NO: they only steal and sell data | YES: but they are without scruple |
| Government Agent | NO: they betray the “Hacker Ethics” | YES (including deleting/modifying/stealing data) / NO (in stealth attacks) | |
| Military Hacker | NO: they betray the “Hacker Ethics” | YES (including deleting/modifying/stealing data) / NO (in stealth attacks) | |
| PROFILE | MAY BE LINKED TO | WILL CHANGE ITS BEHAVIOR? | TARGET | (NEW) MOTIVATIONS & PURPOSES |
|---|---|---|---|---|
| Wanna Be Lamer | | No | | |
| Script Kiddie | Urban hacks | No | Wireless Networks, Internet Café, neighborhood, etc. | |
| Cracker | Phishing, Spam, Black ops | Yes | Companies, associations, whatever | Money, Fame, Politics, Religion, etc… |
| Ethical Hacker | Black ops | Probably | Competitors (Telecom Italia Affair), end-users | Big money |
| Quiet, Paranoid, Skilled Hacker | Black ops | Yes | High-level targets | Esoteric request (i.e., hack “Thuraya” for us) |
| Cyber-Warrior | CNIs attacks, Gov. attacks | Yes | “Symbols”: from Dalai Lama to UN, passing through CNIs and business companies | Intelligence ? |
| Industrial Spy | | Yes | Business company / Corporation | For profit |
| Government Agent | | Probably | Government / Suspected Terrorist / Strategic company / Individual | Espionage / Counter-espionage; Vulnerability test; Activity-monitoring |
| Military Hacker | | Probably | Government / Strategic company | Monitoring / controlling / crashing systems |
| DETERRENCE EFFECT OF: | LAWS | CONVICTIONS SUFFERED BY OTHER HACKERS | CONVICTIONS SUFFERED BY THEM | TECHNICAL DIFFICULTIES |
|---|---|---|---|---|
| Wanna Be Lamer | NULL | NULL | ALMOST NULL | HIGH |
| Script Kiddie | NULL | NULL | HIGH: they stop after the 1st conviction | HIGH |
| Cracker | NULL | NULL | NULL | MEDIUM |
| Ethical Hacker | NULL | NULL | HIGH: they stop after the 1st conviction | NULL |
| Quiet, Paranoid, Skilled Hacker | NULL | NULL | NULL | NULL |
| Cyber-Warrior | NULL | NULL | NULL | NULL: they do it as a job |
| Industrial Spy | NULL | NULL | NULL | NULL: they do it as a job |
HPP V2.0: what happened? VERY simple:
Lack of funding: for phases 3&4 we need money!
• HW, SW, Analysts, Translators
We started back in 2004: «romantic hackers», and we foresaw those «new» actors though: .GOV, .MIL, Intelligence.
We missed out:
• Hacktivism (!);
• Cybercriminals out of the «hobbyist» approach;
• OC;
• The financial aspects (Follow the Money!!).
HPP V2.0: next enhancements
1. Wannabe Lamer
2. Script kiddie: under development (Web Defacers, DDoS, links with distributed teams i.e. Anonymous…)
3. Cracker: under development (Hacking on-demand, “outsourced”; links with Organized Crime)
4. Ethical hacker: under development (security researchers, ethical hacking groups)
5. Quiet, paranoid, skilled hacker (elite, unexplained hacks? Vodafone GR? NYSE? Libya TLC systems?)
6. Cyber-warrior: to be developed
7. Industrial spy: to be developed (links with Organized Crime & Governments i.e. Comodo, DigiNotar and RSA hacks?)
8. Government agent: to be developed (“N” countries..)
9. Military hacker: to be developed (India, China, N./S. Korea, etc.)
X. Money Mules? Ignorant “DDoSsers”? (i.e. LOIC by Anonymous)
HPP V2.0: upcoming goals
Going after Cybercriminals:
Kingpins & Master minds (the “Man at the Top”)
o Organized Crime
o MO, Business Model, Kingpins – “How To”
Techies hired by the Organized Crime (i.e. Romania & skimming at the very beginning; Nigerian cons; Ukraine Rogue AV; Pharma ADV Campaigns; ESTDomains in Estonia; etc..)
Structure, Infrastructures (possible links with Govs & Mils?)
Money Laundering: Follow the money (Not just “e-mules”: new frameworks to “cash-out”)
Outsourcing: malware factories (Stuxnet? DuQu? Flame? ….)
Conclusions
The whole Project is self-funded and based on independent research methodologies.
Despite many problems, we have been carrying out the Project for years.
The final methodology will be released under GNU/FDL and distributed through ISECOM.
The interest of research centres, public and private institutions, and governmental agencies in the Project is welcome.
We think that we are elaborating something beautiful...
…something that did not exist…
…and it seems – really – to have a sense ! :)
It is not a simple challenge. However, we think we are on the right path.
Useful Community Sources
● Kingpin, 2012
● Profiling Hackers: the Science of Criminal Profiling as applied to the world of hacking, CRC Press/Taylor & Francis Group, 2009
● H.P.P. Questionnaires 2005-2010
● Fatal System Error: the Hunt for the new Crime Lords who are bringing down the Internet, Joseph Menn, Public Affairs, 2010
● Stealing the Network: How to 0wn a Continent, (an Identity), (a Shadow) (V.A.), Syngress Publishing, 2004, 2006, 2007
● Stealing the Network: How to 0wn the Box, (V.A.), Syngress Publishing, 2003
● Underground: Tales of Hacking, Madness and Obsession on the Electronic Frontier, Suelette Dreyfus, Random House Australia, 1997
● The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage, Clifford Stoll, DoubleDay (1989), Pocket (2000)
● Masters of Deception: the Gang that Ruled Cyberspace, Michelle Slatalla & Joshua Quittner, Harpercollins, 1995
● Kevin Poulsen, Serial Hacker, Jonathan Littman, Little & Brown, 1997
● Takedown, John Markoff and Tsutomu Shimomura, Sperling & Kupfer, (Hyperion Books), 1996
● The Fugitive Game: online with Kevin Mitnick, Jonathan Littman, Little & Brown, 1997
● The Art of Deception, Kevin D. Mitnick & William L. Simon, Wiley, 2002
● The Art of Intrusion, Kevin D. Mitnick & William L. Simon, Wiley, 2004
● @ Large: the Strange Case of the World’s Biggest Internet Invasion, Charles Mann & David Freedman, Touchstone, 1998
Useful Community Sources
● The Estonia attack: Battling Botnets and online Mobs, Gadi Evron, 2008 (white paper)
● Who is “n3td3v”?, by Hacker Factor Solutions, 2006 (white paper)
● Mafiaboy: How I cracked the Internet and Why it’s still broken, Michael Calce with Craig Silverman, 2008
● The Hacker Diaries: Confessions of Teenage Hackers, Dan Verton, McGraw-Hill Osborne Media, 2002
● Cyberpunk: Outlaws and Hackers on the Computer Frontier, Katie Hafner, Simon & Schuster, 1995
● Cyber Adversary Characterization: auditing the hacker mind, Tom Parker, Syngress, 2004
● Inside the SPAM Cartel: trade secrets from the Dark Side, by Spammer X, Syngress, 2004
● Hacker Cracker, Ejovu Nuwere with David Chanoff, Harper Collins, 2002
● Compendio di criminologia, Ponti G., Raffaello Cortina, 1991
● Criminalità da computer, Tiedemann K., in Trattato di criminologia, medicina criminologica e psichiatria forense, vol.X, Il cambiamento delle forme di criminalità e devianza, Ferracuti F. (a cura di), Giuffrè, 1988
● United Nations Manual on the Prevention and Control of Computer-related Crime, in International Review of Criminal Policy – Nos. 43 and 44
● Criminal Profiling: dall’analisi della scena del delitto al profilo psicologico del criminale, Massimo Picozzi, Angelo Zappalà, McGraw Hill, 2001
● Deductive Criminal Profiling: Comparing Applied Methodologies Between Inductive and Deductive Criminal Profiling Techniques, Turvey B., Knowledge Solutions Library, January, 1998
● Malicious Hackers: a framework for Analysis and Case Study, Laura J. Kleen, Captain, USAF, US Air Force Institute of Technology
● Criminal Profiling Research Site. Scientific Offender Profiling Resource in Switzerland. Criminology, Law, Psychology, Täterpro
And...a gift for you all here!
● Get your own, FREE copy of “F3” (Freedom from Fear, the United Nations magazine) issue #7, totally focused on Cybercrimes!
● DOWNLOAD: www.FreedomFromFearMagazine.org
● Or, email me and I will send you the full PDF (10MB)
Contacts
• Contact presenter at [email protected] if you are interested in:
  • Asking questions, getting material (links, books..)
• Contact presenter at [email protected] if you are interested in:
  • Helping with the project, supporting us, donations
Public Key: http://raoul.EU.org/RaoulChiesa.asc